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Amendments to the Claims: 

This listing of claims will replace all prior versions, and listings, of claims in the application: 
Listing of Claims: 

1 . (currently amended) A method for assigning a partially ordered set of classification 
levels to a set of data attributes, comprising: 

(a) providing at least one simple constraint imposing a classification level boundary 
for an associated attribute; 

(b) providing at least one complex constraint imposing another classification level 
boundary relating collectively to an associated collection of attributes; and \ 

(c) assigning the classification levels to the attributes in a manner that satisfies the 
simple constraints and the complex constraints and avoids overclassifying the attributes, and 

wherein the assigning is done by use of a computer system according to an automatic 
algorithm having a complexity no greater than polynomial with respect to a size of the 
constraints and of the partially ordered set. 

2. (original) The method of claim 1 , wherein at least one of the classification level boundary 
and the another classification level boundary represents an upper bound. 

3. (original) The method of claim 1 , wherein at least one of the classification level boundary 
and the another classification level boundary represents a lower bound. 

4. (original) The method of claim 1, wherein at least one of the classification level boundary 
and the another classification level boundary specifies a particular classification level as a 
boundary. 

5. (original) The method of claim 1 , wherein at least one of the classification level boundary 
and the another classification level boundary is specified in terms of a classification level to be 
assigned to one of the attributes. 
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6. (original) The method of claim 1, wherein the at least one complex constraint imposes a 
lower bound on the least upper bound of the levels assigned to the associated collection of 
attributes. 

7. (original) The method of claim 1 , wherein the at least one complex constraint requires that 
at least one of the classification levels assigned to the associated collection of attributes is greater 
than a lower bound. 

8. (original) The method of claim 1 , wherein the at least one complex constraint comprises a 
constraint selected from the group of {inference constraints, association constraints, and 
integrity constraints}. 

9. (original) The method of claim 1, wherein the partially ordered set is a fully ordered set. 

10. (original) The method of claim 1, wherein the method is used to implement an information 
security policy. 

1 1 . (original) The method of claim 1, wherein the method is used to implement a database 
confidentiality policy. 

12. (original) The method of claim 1, further including providing one or more soft constraints 
whose satisfaction is not mandatory, and wherein assigning the classification levels to the 
attributes includes selecting among a plurality of possible assignments based at least partly upon 
satisfaction of the soft constraints. 

13. (original) The method of claim 1, further including checking the simple constraints and the 
complex constraints for consistency. 

14. (original) The method of claim 1, wherein assigning the classification levels to the 
attributes is done in a manner that does not overclassify any of the attributes. 
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1 5 . (original) The method of claim 1 , wherein assigning the classification levels to the 
attributes is done in a manner that avoids overclassifying the attributes to a desired extent. 

16. (original) The method of claim 1, wherein the complexity of the automatic algorithm is no 
greater than quadratic with respect to a size of the constraints and of the partially ordered set of 
levels. 

17. (original) The method of claim 1, wherein the simple constraints and the complex 
constraints include one or more acyclic constraints, and the method further includes directly 
assigning to the attribute associated with each of the acyclic constraints the lowest classification 
level that satisfies the acyclic constraint. 

18. (original) The method of claim 1, wherein the simple constraints and the complex 
constraints are acyclic, and the complexity of the automatic algorithm is no greater than linear 
with respect to a size of the acyclic constraints and of the partially ordered set of levels. 

19. (currently amended) A method for assigning a partially ordered set of levels to a set of 
objects, comprising: 

(a) providing at least one simple constraint imposing a level boundary for an associated 
object; 

(b) providing at least one complex constraint imposing another level boundary relating 
collectively to an associated collection of objects; and 

(c) assigning the levels to the objects in a manner that satisfies the simple constraints and the 
complex constraints and avoids overclassifying the objects, and 

wherein the assigning is done by use of a computer system according to an automatic 
algorithm having a complexity no greater than polynomial with respect to a size of the 
constraints and of the partially ordered set. 

20. (currently amended) An apparatus for assigning a partially ordered set of levels to a set 
of objects, comprising: 

(a) means for representing at least one simple constraint imposing a level boundary for an 
associated object; 
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(b) means for representing at least one complex constraint imposing another level boundary 
relating collectively to an associated collection of objects; and 

(c) means for assigning the levels to the objects by use of a computer system in a manner 
that satisfies the simple constraints and the complex constraints and avoids overclassifying the 
objects, and further being operable to perform the assigning according to an automatic algorithm 
having a complexity no greater than polynomial with respect to a size of the constraints and of 
the partially ordered set. 

2 1 . (currently amended) A method for assigning access classification levels from a 
partially ordered set to a plurality of data attributes, comprising 

(a) providing one or more upper bound constraints each imposing an upper bound on the 
classification level to be assigned to an associated data attribute; 

(b) providing one or more lower bound constraints each imposing a lower bound relating 
collectively to the classification levels to be assigned to an associated collection of the data 
attributes; 

(c) determining an initial assignment of classification levels that satisfies the upper bound 
and lower bound constraints by use of a computer system ; and 

(d) iteratively decrementing the levels assigned to each attribute while continuing to satisfy 
all of the provided constraints by use of the computer system , thereby tending to decrease the 
overclassification of attributes and to increase data availability. 

22. (original) The method of claim 20, wherein the initial classification is found by assigning 
the highest classification level from the partially ordered set to each attribute and iteratively 
lowering the levels as required to satisfy all upper bound constraints. 

23. (original) The method of claim 22, wherein the initial classification is found by assigning 
the lowest classification level from the partially ordered set to each attribute and increasing their 
levels until a classification that satisfies all constraints is found. 

24. (currently amended) A method for determining a minimal security classification for 
one or more attributes in a data set, comprising: 
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generating a constraint graph by use of a computer system , the constraint graph having 
nodes with different security levels and nodes with different attributes, the security level nodes 
and the attribute nodes being connected together to form a lattice; 

enforcing one or more upper bound security constraints by use of the computer system 
wherein the upper bound constraint corresponds to the maximum security classification for the 
attribute to permit access to the attribute by as many people as possible; 

providing one or more lower bound constraints that protect the attribute from association 
and inference attacks; and 

determining a minimal security classification for the attribute by use of the computer 
system based on the upper bound constraint and the one or more lower bound constraints so that 
the attribute is resistant to association and inference attacks yet accessible to many people as 
possible. 

25. (original) The method of Claim 24, wherein enforcing the upper bound security constraint 
further comprises propagating the upper bound constraint from the security node corresponding 
to the upper bound constraint through each attribute node of the constraint graph, determining, at 
each attribute node, if the security level of the attribute node dominates that propagated security 
level and lowering the security level of the attribute node to below the propagated security level 
if the propagated security level does not dominate the security level of the attribute node and the 
other constraints on the attribute node are not violated. 

26. (original) The method of Claim 24, wherein determining the minimal security 
classification further comprises determining if the lower bound constraint is a cyclic constraint 
or an acyclic constraint, the cyclic constraints being resolved using a cyclic solving process and 
the acyclic constraints being resolves using an acyclic solving process wherein the cyclic 
constraint has a loop in the constraint graph. 

27. (original) The method of Claim 26, wherein the acyclic solving process further comprises 
determining if the acyclic constraint is simple or complex, the simple acyclic constraint having 
no hypernodes in the constraint graph and the complex acyclic constraint having one or more 
hypernodes containing two or more attributes. 
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28. (original) The method of Claim 27, wherein solving for the simple acyclic constraint 
further comprises propagating the security levels in the constraint graph associated with the 
lower bound constraints to the attributes nodes to determine the minimal security classification 
for each attribute node. 

29. (original) The method of Claim 28, wherein solving the complex acyclic constraint further 
comprises upgrading the security level associated with the attributes in the hypernode of the 
constraint graph. 

30. (original) The method of Claim 26, wherein the cyclic solving process further comprises 
determining if the cyclic constraint is simple or complex, the simple cyclic constraint having no 
hypernode in the constraint graph and the complex cyclic constraint having one or more 
hypernodes containing two or more attributes. 

3 1 . (original) The method of Claim 30, wherein solving the simple cyclic constraint further 
comprises assigning the same security level to the attribute nodes contained in the simple cycle. 

32. (original) The method of Claim 30, wherein solving the complex cyclic constraint further 
comprises assigning the highest security level to each attribute in the complex cyclic constraint, 
lowering the security level of a selected attribute in the complex cyclic constraint and lowering 
the security level of another attribute if the lowering of the selected attribute did not violate any 
constraints. 

33. (original) The method of Claim 32, wherein solving the complex cyclic constraint further 
comprises propagating the security levels in the constraint graph associated with the lower 
bound constraints to the attributes nodes to determine the minimal security classification for 
each attribute node. 

34. (currently amended) A system for determining a minimal security classification for 
one or more attributes in a data set, comprising: 
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means for generating a constraint graph, the constraint graph having nodes with different 
security levels and nodes with different attributes, the security level nodes and the attribute 
nodes being connected together to form a lattice; 

means for enforcing one or more upper bound security constraints by use of a computer 
system wherein the upper bound constraint corresponds to the maximum security classification 
for the attribute to permit access to the attribute by as many people as possible; 

means for providing one or more lower bound constraints that protect the attribute from 
association and inference attacks; and 

means for determining a minimal security classification for the attribute by use of the 
computer system based on the upper bound constraint and the one or more lower bound 
constraints so that the attribute is resistant to association and inference attacks yet accessible to 
many people as possible. 

35. (original) The system of Claim 34, wherein the enforcing means further comprises means 
for propagating the upper bound constraint from the security node corresponding to the upper 
bound constraint through each attribute node of the constraint graph, means for determining, at 
each attribute node, if the security level of the attribute node dominates that propagated security 
level and means for lowering the security level of the attribute node to below the propagated 
security level if the propagated security level does not dominate the security level of the attribute 
node and the other constraints on the attribute node are not violated. 

36. (original) The system of Claim 34, wherein the means for determining the minimal security 
classification further comprises means for determining if the lower bound constraint is a cyclic 
constraint or an acyclic constraint, the cyclic constraints being resolved using a cyclic solving 
means and the acyclic constraints being resolves using an acyclic solving means wherein the 
cyclic constraint has a loop in the constraint graph. 

37. (original) The system of Claim 36, wherein the acyclic solving means further comprises 
means for determining if the acyclic constraint is simple or complex, the simple acyclic 
constraint having no hypernodes in the constraint graph and the complex acyclic constraint 
having one or more hypernodes containing two or more attributes. 
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38. (original) The system of Claim 37, wherein means for solving for the simple acyclic 
constraint further comprises means for propagating the security levels in the constraint graph 
associated with the lower bound constraints to the attributes nodes to determine the minimal 
security classification for each attribute node. 

39. (original) The system of Claim 38, wherein means for solving the complex acyclic 
constraint further comprises means for upgrading the security level associated with the attributes 
in the hypernode of the constraint graph. 

40. (original) The system of Claim 36, wherein the cyclic solving means further comprises 
means for determining if the cyclic constraint is simple or complex, the simple cyclic constraint 
having no hypernode in the constraint graph and the complex cyclic constraint having one or 
more hypernodes containing two or more attributes. 

41 . (original) The system of Claim 40, wherein means for solving the simple cyclic constraint 
further comprises means for assigning the same security level to the attribute nodes contained in 
the simple cycle. 

42. (original) The system of Claim 40, wherein means for solving the complex cyclic 
constraint further comprises means for assigning the highest security level to each attribute in 
the complex cyclic constraint, means for lowering the security level of a selected attribute in the 
complex cyclic constraint and means for lowering the security level of another attribute if the 
lowering of the selected attribute did not violate any constraints. 

43. (original) The system of Claim 42, wherein means for solving the complex cyclic 
constraint further comprises means for propagating the security levels in the constraint graph 
associated with the lower bound constraints to the attributes nodes to determine the minimal 
security classification for each attribute node. 
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